  1. #10066
    DK Veteran


    Quote Originally Posted by AlexKudry View Post
    hallo badrax, please, can you write the link where to buy that one on the right. Thank you
    It only looks nicer with the gold plate

  2. #10067
    Top Poster




    Looks like the dumper is working



  3. The Following 7 Users Say Thank You to badrax For This Useful Post:

    Bastard2 (12th January, 2021), Col19 (29th December, 2020), kaalis (31st March, 2021), mexanico1971 (13th May, 2023), miouser (29th December, 2020), seal777 (4th January, 2021), Tib82 (1st January, 2021)

  4. #10068
    Top Poster


    Quote Originally Posted by AlexKudry View Post
    hallo badrax, please, can you write the link where to buy that one on the right. Thank you
    The seller I bought from (AliExpress) is not selling this version any more. He is now selling the upgradable version.



  5. The Following User Says Thank You to badrax For This Useful Post:

    Col19 (29th December, 2020)

  6. #10069
    Top Poster


    Have now successfully dumped about 100KB from the chip, including the whole bootloader starting at address 0x08000000


    Sector 0 - 0x08000000 16K <- Bootloader start (max: 64KB)
    Sector 1 - 0x08004000 16K
    Sector 2 - 0x08008000 16K
    Sector 3 - 0x0800C000 16K
    Sector 4 - 0x08010000 64K <- Firmware (max: 960KB) (Found new Vector Table here)
    Sector 5 - 0x08020000 128K
    Sector 6 - 0x08040000 128K
    Sector 7 - 0x08060000 128K
    Sector 8 - 0x08080000 128K
    Sector 9 - 0x080A0000 128K
    Sector 10 - 0x080C0000 128K
    Sector 11 - 0x080E0000 128K


    Some strings I could see in the bootloader. Perhaps someone recognizes them?


    Ross-Tech HEX-V2
    Hex Microsystems
    0000001 HID Config HID Interface
    9900110000546AA457170F9230
    990001000046FED4EB61F7E1E3
    990011000059233FED922564F5
    LSVCD2BM8FN090035
    WriteFlash Num OK:
    CRC EORROR
    Flash update successful!!!
    VCDS V2-HEX
    SN EORROR

    So if this chip (STM32F415) contains a bootloader then it also should support updates yes?

  7. The Following 3 Users Say Thank You to badrax For This Useful Post:

    Col19 (29th December, 2020), seal777 (4th January, 2021), Tib82 (1st January, 2021)

  8. #10070
    Banned


    Quote Originally Posted by badrax View Post
    Update the windows exe file or the STM32F405 firmware?
    If it updates the STM chip then is the new firmware embedded in the VIIPlusLoader or will the FW be downloaded from VCDS server?



    VCDS Hex-V2 with main chip STM32F405VGT6 without ross-tech v2 firmware

    VCDS Hex-V2 with main chip STM32F405VGT6 with itself firmware

  9. #10071
    Banned


    Quote Originally Posted by badrax View Post


    Can someone tell me if the cable on the right supports updates?
    It uses the 405 chip but I bought it as a 20.4.1 only before these upgradable cables were on sale.

    Cable on the left is the 415 and if I understand this correctly this does not support updates? Or at least not using the VIILoader?
    This is the chip I will try to dump and see what's on it.



    Just this kind of VCDS Hex-V2 with main chip STM32F405VGT6 supports updates freely forever

  10. #10072
    Banned


    Quote Originally Posted by badrax View Post
    Have now successfully dumped about 100KB from the chip, including the whole bootloader starting at address 0x08000000


    Sector 0 - 0x08000000 16K <- Bootloader start (max: 64KB)
    Sector 1 - 0x08004000 16K
    Sector 2 - 0x08008000 16K
    Sector 3 - 0x0800C000 16K
    Sector 4 - 0x08010000 64K <- Firmware (max: 960KB) (Found new Vector Table here)
    Sector 5 - 0x08020000 128K
    Sector 6 - 0x08040000 128K
    Sector 7 - 0x08060000 128K
    Sector 8 - 0x08080000 128K
    Sector 9 - 0x080A0000 128K
    Sector 10 - 0x080C0000 128K
    Sector 11 - 0x080E0000 128K


    Some strings I could see in the bootloader. Perhaps someone recognizes them?


    Ross-Tech HEX-V2
    Hex Microsystems
    0000001 HID Config HID Interface
    9900110000546AA457170F9230
    990001000046FED4EB61F7E1E3
    990011000059233FED922564F5
    LSVCD2BM8FN090035
    WriteFlash Num OK:
    CRC EORROR
    Flash update successful!!!
    VCDS V2-HEX
    SN EORROR

    So if this chip (STM32F415) contains a bootloader then it also should support updates yes?
    VCDS Hex-V2 with main chip STM32F415 has many problems; it is actually v1 and does not support updates

  11. #10073
    Top Poster

    flyfvdi seems like a robot, repeating the same thing over and over again.

    @badrax, did you notice these V2 cables are not visible in Device Manager? How is that possible? Just trying to understand how they work.

  12. The Following User Says Thank You to bg17aw For This Useful Post:

    Col19 (29th December, 2020)

  13. #10074
    Top Poster jan4's Avatar

    HID device 405:


    USB\VID_0483&PID_A0CB&REV_0200

  14. The Following User Says Thank You to jan4 For This Useful Post:

    Col19 (29th December, 2020)

  15. #10075
    Top Poster


    Looking at the bootloader from the STM32F415 chip I believe it supports upgrades in some way?
    It uses 256-bit AES in CBC mode with a hardcoded key located in flash for decryption. The IV is also stored in the flash.

    memcpy(g_aes_key, &aes_key1, 32);
    do_aes_decrypt(g_aes_key, 2048, byte_2000217A, byte_20001574);

  16. The Following User Says Thank You to badrax For This Useful Post:

    Col19 (29th December, 2020)

  17. #10076
    Top Poster +
    Col19's Avatar
    Join Date
    Jan 2019
    Location
    France
    Posts
    229
    Thanks Thanks Given 
    2,206
    Thanks Thanks Received 
    98
    Thanked in
    26 Posts

    Default

    Hi DK team

    Thanks to King Badrax for sharing experience, the new Kolimer ? Kolibadrax
    Last edited by Col19; 30th December, 2020 at 12:33 AM.

  18. #10077
    Banned


    Quote Originally Posted by bg17aw View Post
    flyfvdi seems like a robot, repeating the same thing over and over again.

    @badrax, did you notice these V2 cables are not visible in Device Manager? How is that possible? Just trying to understand how they work.
    Sorry, my friend, I am a human. We are just talking about VCDS Hex-V2: which is the best, which is better, which is not good, which is bad.

    So people can decide which to buy and which not to buy.

    I hope I can help the VCDS Hex-V2 buyer.

    If an old VCDS Hex-V2 user has any problem, I hope we can help resolve the problem.
    Last edited by flyfvdi; 30th December, 2020 at 03:50 AM.

  19. #10078
    Top Poster


    Did anyone try to use a USB sniffer/packet capture software to see what is actually sent to the STM chip when firmware upgrading?
    Since I don't have a clone that supports upgrades I would really like to see what is sent over the USB cable and see if the AES key I have can decrypt this data.

  20. The Following User Says Thank You to badrax For This Useful Post:

    Col19 (2nd January, 2021)

  21. #10079
    Top Poster


    Here is an explanation of how companies usually do a firmware upgrade on these devices. Sorry for explaining the obvious but some might not be familiar with how this works and to get everyone on the same page then... you get it

    The STM chip is more or less always read protected and the F4 series supports read protect level 1 (RDP1) and level 2 (RDP2).
    For RDP1 the flash memory is not readable but RAM is, and you can connect a debugger and read out the RAM from the chip.
    For RDP2 the debug interface is completely disabled (JTAG fused if we should believe STM) and you can NOT access the chip using a debugger.
    However I have successfully dumped both RDP1 and RDP2 protected chips but RDP2 requires double glitching and some extra work


    The STM chip contains a bootloader and a firmware. In this case the bootloader is at address 0x08000000 and the firmware is at address 0x08010000 (for the 415 chip I have. I know this coz I have dumped the bootloader from the chip using VCC glitching)
    The STM chip contains a lot of sectors and when programming you can only switch a bit from "1" to "0". This is why you will have to do a whole sector erase before you can program it. An erase will set all bits to "1" and an empty sector will contain only 0xFF etc.
    Here are all sectors found on the F4 series. (This is for the G marketing having 1 meg of flash. VGT etc)

    Sector 0 - 0x08000000 16K <- Bootloader start (max: 64KB)
    Sector 1 - 0x08004000 16K
    Sector 2 - 0x08008000 16K
    Sector 3 - 0x0800C000 16K
    Sector 4 - 0x08010000 64K <- Firmware (max: 960KB)
    Sector 5 - 0x08020000 128K
    Sector 6 - 0x08040000 128K
    Sector 7 - 0x08060000 128K
    Sector 8 - 0x08080000 128K
    Sector 9 - 0x080A0000 128K
    Sector 10 - 0x080C0000 128K
    Sector 11 - 0x080E0000 128K



    The chip can only erase one whole sector or multiple sectors and you will therefore see the FW located on a sector boundary. In this case Sector 4 - 0x08010000.

    Now to do a firmware upgrade the PC software usually sends a command to the running firmware and asks it to jump to the bootloader. After this the bootloader takes over and the PC starts sending the new firmware to the chip. Bootloader will first erase the current firmware for so to write in the new one. The new firmware sent to the chip is usually encrypted using some public/private key or just a hard coded symmetric key (attow I found AES in CBC mode and suspect they use this) that the bootloader knows. Bootloader will now decrypt this new firmware and write it to its location. After receiving the whole firmware some CRC is generated and if all is good the bootloader will jump to the new firmware and give it control.

    Now. If you can read out the bootloader it is usually game over for any one/company using this method.

    To test if the AES key I have is working I need some encrypted firmware to test on and if someone has one or can sniff the USB while firmware upgrading then that would be great.

    regards

    Edit:
    Just to clarify regarding the bootloader.
    The bootloader I refer to here is a custom bootloader made by the user / company (requires some flash memory) and is not the bootloader that is embedded on the chip from STM.
    The STM bootloader is located in ROM and cannot be deleted. This bootloader is often called the system bootloader and can be found at address 0x1FFF0000 followed by the OTP area. You can access this bootloader by setting the boot0 pin high "1"



    Last edited by badrax; 30th December, 2020 at 04:05 PM.

  22. The Following 13 Users Say Thank You to badrax For This Useful Post:

    Anydraj (1st January, 2021), bedrock (6th January, 2021), borian (18th January, 2021), Col19 (2nd January, 2021), Digicom (9th January, 2021), fantomel (31st December, 2020), hbalazs (15th July, 2023), ireun (31st December, 2020), jakuza (31st December, 2020), kaalis (30th December, 2020), Lolo4321 (30th December, 2020), miouser (31st December, 2020), xlv600 (6th November, 2023)
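
    The sector layout and erase-before-program rule from post #10079, as an added example in C (not part of the original post and not code from the device). It maps an address range to the sectors an updater must erase and checks that an update image stays out of the bootloader sectors; all function names are hypothetical, and the layout is the 1 MB table quoted in the post.

```c
#include <stdint.h>

/* STM32F4 1 MB main flash layout, as listed in the post (sizes in KB). */
#define FLASH_BASE_ADDR 0x08000000u
#define NUM_SECTORS 12
static const uint32_t sector_kb[NUM_SECTORS] =
    {16, 16, 16, 16, 64, 128, 128, 128, 128, 128, 128, 128};

/* Return the sector index containing addr, or -1 if outside main flash. */
int sector_of(uint32_t addr)
{
    uint32_t start = FLASH_BASE_ADDR;
    for (int i = 0; i < NUM_SECTORS; i++) {
        uint32_t size = sector_kb[i] * 1024u;
        if (addr >= start && addr - start < size)
            return i;
        start += size;
    }
    return -1;
}

/* Bitmask of sectors that must be erased before writing len bytes at addr.
 * Returns 0 for an empty image or one that leaves main flash. */
uint32_t erase_mask(uint32_t addr, uint32_t len)
{
    if (len == 0 || addr > UINT32_MAX - (len - 1))
        return 0;
    int first = sector_of(addr);
    int last = sector_of(addr + len - 1);
    if (first < 0 || last < 0)
        return 0;
    uint32_t mask = 0;
    for (int i = first; i <= last; i++)
        mask |= 1u << i;
    return mask;
}

/* NOR flash programming can only clear bits: result = old AND new. */
uint8_t flash_program(uint8_t old, uint8_t value) { return old & value; }

/* True if the range overlaps the custom bootloader region (sectors 0-3). */
int touches_bootloader(uint32_t addr, uint32_t len)
{
    return (erase_mask(addr, len) & 0x0Fu) != 0;
}
```

    An update routine that rejects any image for which touches_bootloader() is true can never erase its own bootloader, whatever address the host sends.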

  23. #10080
    Top Poster

    How do you learn all this

 

 
